Skip to content
This repository has been archived by the owner on Jan 31, 2020. It is now read-only.

SessionManager Validates session_id After session_start() Causing a Warning #119

Open
sbani opened this issue Jul 2, 2019 · 2 comments
Open
Labels

Comments

@sbani
Copy link

sbani commented Jul 2, 2019

Hi,

session_start() in SessionManager is causing a warning using an id with invalid characters. This behaviour should be handled to prevent problems like "information disclosures". An attacker can trigger the warning too easy.

Code to reproduce the issue

        $config = new SessionConfig();
        $manager = Container::getDefaultManager();
        $manager->setConfig($config);

        $this->sessionContainer = new Container('foo', $manager);

Reproduce The Issue

% curl -I 'http://zend.local/' -H 'Cookie: PHPSESSID=_test_'
HTTP/2 500 
server: nginx/1.10.3
date: Tue, 02 Jul 2019 08:59:35 GMT
content-type: text/html; charset=UTF-8

Expected results

There a three possible ways to handle the situation:

  1. Suppress the warning, regenerate a new id, start the session again
if (! @session_start()) {
    $this->regenerateId();
    session_start();
}
  1. Suppress the warning but also throw an exception that the session is not be started
if (! @session_start()) {
    throw new Exception\RuntimeException('Failed to start the session');
}
  1. Just ignore the warning and move handling to the validators
@session_start();

I'm personally a fan of the first option because I think that the developer doesn't want to handle errors that occurred during session start.
"If the session doesn't start, just ignore the user provided id and create a new/correct one."

Actual results

.../vendor/zendframework/zend-session/src/SessionManager.php:140
session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' [E_WARNING]

Zend\Session\Validator\Id is trying to address the problem, but fails to do so because the validation happens after session_start().

Related Issue

I found #21, but @SvenRtbg's comment is not 100% addressing what I'm concerned about.
My concern is information disclosures when the system is not handling warnings properly (never show any errors to the end user).

I hope the filed issue is clear and has enough details. Let me know if you need more background.

Best regards

@Xerkus Xerkus added the bug label Jul 2, 2019
@digitalStyx
Copy link

digitalStyx commented Jul 31, 2019

Hi,

Yesterday i had a lot of errors (fuzzing attack on session)

error_reporting session_start(): Failed to write session lock: A BAD KEY WAS PROVIDED/CHARACTERS OUT OF RANGE
line 140
code 2
file /export/www/test/vendor/zendframework/zend-session/src/SessionManager.php

or

session_start(): error getting session from memcached: (0x7f4238e96300) A BAD KEY WAS PROVIDED/CHARACTERS OUT OF RANGE, Key provided had invalid character. -> libmemcached/key.cc:103

and this is also, because SessionManager validates session_id after session_start()

I checked @sbani code to reproduce this issue, and I can see that even though session_id does not validate, the session was created on the memcache side

[test@devel DEVEL]$ memcached-tool localhost:11211 dump
Dumping memcache contents
add test 0 1561244503 0

@weierophinney
Copy link
Member

This repository has been closed and moved to laminas/laminas-session; a new issue has been opened at laminas/laminas-session#3.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests

4 participants